Stealth Malware Turns Servers into Spambots

Monday, May 4, 2015 @ 02:05 PM gHale

For at least five years servers around the world running Linux and BSD operating systems ended up targeted by a compromise via a backdoor Trojan that led them to send out spam, researchers said.

It appears the attackers have a connection to a software company called Yellsoft, which sells DirectMailer, a “system for automated email distribution” that allows users to send out anonymous email, said researchers at ESET.

This operation succeeded in remaining hidden for so long thanks to several factors: The sophistication of the malware used, its stealth and persistence, the fact the spammers aren’t constantly infecting new machines, and that each of the infected machines didn’t send out spam all the time.

The researcher began their investigation with a piece of malware they found on a server blacklisted for sending spam. They called the malware Mumblehard. After analyzing it, they found it has several distinct components: A generic backdoor that contacts its C&C server and downloads the spammer component and a general purpose-proxy.

“Mumblehard components are mainly Perl scripts encrypted and packed inside ELF binaries. In some cases, the Perl script contains another ELF executable with the same packer in the fashion of a Russian nesting doll,” said researcher Marc-Etienne Leveille in a paper. “We got interested in this threat because the way the Perl scripts used by the cybercriminals are packed inside ELF executables is uncommon and more complex than the average server threat.”

Thanks to the fact the backdoor always and repeatedly tries to contact all of the 10 C&C domains listed in its configuration file, the researchers have managed to take control of one of them (its registration had expired), which allowed them to monitor the activity of the infected hosts between September 19 2014 and April 22 this year.

“During the period over which we collected data, we saw Mumblehard queries from 8,867 unique IP addresses. The majority of them are servers that are used for hosting websites,” Leveille said. “We can see that the number of infected hosts is slowly decreasing, but has timely increases from time to time. The operators are initiating discrete waves of server infection rather than spreading in a continuous fashion.”

The C&C server did not always send commands to the bots to start spamming. Sometimes it did, for hours. Other days it would stay silent, and the bots remained dormant.

But it was the addresses of the C&C servers hardcoded in the Mumblehard samples what led the researchers to Yellsoft, as there is indication the company’s web server is hosting them.

A look at the company’s page reveals that DirectMailer is in Perl and runs on UNIX-type systems. “Pretty much like Mumblehard,” Leveille points out.

The price of the software is $240, but there is a link to a site offering a “cracked” version of DirectMailer. The developers said they don’t provide technical support for users of pirated versions of DirectMailer downloaded from that site or any other.

“Why would you want to show where to steal your software?” Leveille asked. He added the fact that Yellsoft’s homepage seems appears hosted on the same server as Mumblehard’s backdoor and spammer C&C server and the pirated DirectMailer and Mumblehard’s spammer share code what makes them suspect they are the same group.

The pirated DirectMailer copies contain the Mumblehard backdoor, and when users install them, they give the operators a backdoor to their servers, and allow them to send spam from and proxy traffic through them.

For more details about the malware and for indicators of compromise, click here for the white paper.